HIPAA Electronic Protected Health Information (ePHI)

Electronic protected health information or ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.

HIPAA regulation states that ePHI includes any of 18 distinct demographics that can be used to identify a patient. Common examples of ePHI include:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

Additionally, HIPAA sets standards for the storage and transmission of ePHI.

Media used to store data includes:

  • Personal computers with internal hard drives used at work, home, or while traveling
  • External portable hard drives
  • Magnetic tape
  • Removable storage devices, including USB drives, CDs, DVDs, and SD cards
  • Smartphones and PDAs

Means of transmitting data via wi-fi, Ethernet, modem, DSL, or cable network connections includes:

  • Email
  • File transfers

Confidentiality, Integrity, Availability of ePHI

The HIPAA Security Rule sets specific standards for the confidentiality, integrity, and availability of ePHI. HIPAA beholden entities including health care providers (covered entities) and health care vendors/IT providers (business associates) must implement an effective HIPAA compliance program that addresses these HIPAA security requirements. Confidentiality, integrity, and availability can be broken down into:

  • Confidentiality is maintaining that ePHI is not illegally disclosed without proper patient authorizations in place
  • Integrity is ensuring that ePHI that is transferred or maintained by a health care organization will not be accessed except by appropriate and authorized parties
  • Availability is allowing patients to access their ePHI in accordance with HIPAA security standards

Get HIPAA Compliant Today

Get Started!